PowerView allows us to look at the network and enumerate the domain controller, the domain policy, domain users and groups, and many other things. It goes very deep in what it is capable of doing, and again, it is a PowerShell tool.
Suppose we have access to a shell: we use that shell to start PowerShell, upload this file, and run PowerView. If by any luck we have RDP access to a machine that no user is actively using, such as a server, we can log in and do it that way.
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
Here, though, we will execute it directly on the victim machine.
Cheat Sheet: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
In CMD:
# -ep is short for -ExecutionPolicy; bypass lets the unsigned script run in this session
powershell -ep bypass
# dot-source the script so its functions are loaded into the current session
. .\PowerView.ps1
To get the information about the domain
Get-NetDomain
To get information about the domain controller(s)
Get-NetDomainController
Now you know where to target next, or what your angle might be.
To see all the policies in the domain, and then only the "system access" section (password and lockout settings)
Get-DomainPolicy
(Get-DomainPolicy)."system access"
To get all the domain users, and to list only their common names (cn)
Get-NetUser
Get-NetUser | select cn
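On the detection side, the commands above leave traces in PowerShell script block logging. The following is an added example, not part of the original notes or of PowerView: it scans constructed script block entries (a simplified stand-in for Event ID 4104 ScriptBlockText, grouped by an assumed session id) and flags sessions that bypass the execution policy, dot-source PowerView.ps1, or call the PowerView functions shown in these notes.

```python
import re
from collections import defaultdict

# PowerView enumeration functions used in these notes.
POWERVIEW_FUNCS = {"Get-NetDomain", "Get-NetDomainController",
                   "Get-DomainPolicy", "Get-NetUser"}
# Dot-sourcing of the script, e.g. ". .\PowerView.ps1" or ". C:\tools\PowerView.ps1"
LOADER = re.compile(r"^\s*\.\s+\S*PowerView\.ps1", re.IGNORECASE | re.MULTILINE)
# The two spellings used in these notes: "-ep bypass" and "-ExecutionPolicy bypass"
EP_BYPASS = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.IGNORECASE)

# Constructed sample events (session_id, script block text); not real log data.
EVENTS = [
    ("s1", "powershell -ep bypass"),
    ("s1", ". .\\PowerView.ps1"),
    ("s1", "Get-NetDomain"),
    ("s1", "Get-NetUser | select cn"),
    ("s2", "Get-Process | Where-Object { $_.CPU -gt 100 }"),
    ("s3", "get-netdomaincontroller"),
]

def score_session(blocks):
    """Return the set of indicator names found across one session's script blocks."""
    hits = set()
    for text in blocks:
        if EP_BYPASS.search(text):
            hits.add("execution-policy-bypass")
        if LOADER.search(text):
            hits.add("powerview-loaded")
        for func in POWERVIEW_FUNCS:
            # Word boundaries so e.g. "Get-NetDomain" does not match "Get-NetDomainController".
            if re.search(r"\b" + re.escape(func) + r"\b", text, re.IGNORECASE):
                hits.add("powerview:" + func)
    return hits

def detect(events, min_indicators=2):
    """Group events by session and report sessions with at least min_indicators hits."""
    by_session = defaultdict(list)
    for sid, text in events:
        by_session[sid].append(text)
    result = {}
    for sid, blocks in by_session.items():
        hits = score_session(blocks)
        if len(hits) >= min_indicators:
            result[sid] = sorted(hits)
    return result

if __name__ == "__main__":
    for sid, hits in detect(EVENTS).items():
        print(sid, hits)
```

With the default threshold only session s1 is reported; lowering min_indicators to 1 also surfaces the lone, case-variant Get-NetDomainController call in s3.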